During the baseline phase in the risk reduction model, what should you establish and begin doing?

• A. Establish business metrics and begin sending reports to business stakeholders
• B. Deploy full DLP coverage across all endpoints
• C. Create new data categories for classification
• D. Schedule quarterly security training

Answer: (A)

The baseline phase is about setting up a measurement frame for risk and data protection. You define business metrics that reflect what you’re protecting, establish how you’ll measure current data handling and risk, and start reporting those findings to business stakeholders. This creates a shared understanding of the starting point and provides a clear path for tracking improvement and accountability over time. Deploying full DLP coverage, creating new data categories, or scheduling training are activities that come after you’ve established the baseline metrics and reporting plan, so they don’t fit the primary goal of the baseline phase.